下面是W32Dasm反汇编的一段代码,软件用查壳工具查壳: Borland Delphi 6.0 - 7.0,没有加壳,截取代码如下
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004ECA0A(C)
|
:004ECA1B 8D956CFFFFFF lea edx, dword ptr [ebp+FFFFFF6C]
:004ECA21 8B83FC020000 mov eax, dword ptr [ebx+000002FC]
:004ECA27 E86860F5FF call 00442A94
:004ECA2C 8B856CFFFFFF mov eax, dword ptr [ebp+FFFFFF6C]
:004ECA32 50 push eax
:004ECA33 8D9560FFFFFF lea edx, dword ptr [ebp+FFFFFF60]
:004ECA39 8B83F8020000 mov eax, dword ptr [ebx+000002F8]
:004ECA3F E85060F5FF call 00442A94
:004ECA44 8B8560FFFFFF mov eax, dword ptr [ebp+FFFFFF60]
:004ECA4A E869C6F1FF call 004090B8
:004ECA4F 8D9564FFFFFF lea edx, dword ptr [ebp+FFFFFF64]
:004ECA55 E86EFBFFFF call 004EC5C8
:004ECA5A 8B8564FFFFFF mov eax, dword ptr [ebp+FFFFFF64]
:004ECA60 E853C6F1FF call 004090B8
:004ECA65 8D9568FFFFFF lea edx, dword ptr [ebp+FFFFFF68]
:004ECA6B E838FCFFFF call 004EC6A8
:004ECA70 8D8568FFFFFF lea eax, dword ptr [ebp+FFFFFF68]
:004ECA76 BAB8CB4E00 mov edx, 004ECBB8
:004ECA7B E89C80F1FF call 00404B1C
:004ECA80 8B9568FFFFFF mov edx, dword ptr [ebp+FFFFFF68]
:004ECA86 58 pop eax
:004ECA87 E8CC81F1FF call 00404C58
:004ECA8C 0F8586000000 jne 004ECB18
在代码最后一句为什么jne 对应的机器码不是75,用OD载入后该处对应的机器码依然是OF,在很多代码中我都看见这种情况,我实在水平太差,想不通,是不是软件被加密了而查壳查不出来,不知哪位可以告诉我,先谢谢了。
[课程]FART 脱壳王!加量不加价!FART作者讲授!